I’ll address some of the points in a separate reply.
Actually, I determined the URLs already and you have a bunch of nonsense posts from my testing.
but php.net doesn't give one any reference on where in the code one would place their suggested...
That’s because programming is not like painting by the numbers, i.e. put “code A” (green paint) on all the number 1’s, put “code B” (blue paint) on all the number 2’s. Context is very important in programming. So, take the statement - “When you output data on a web page is when you would apply htmlentities() to the data …”. Where in your code are you (dynamically) outputting data on the page? In submissions.php, the data from the SELECT query and the message about no submissions to display; in formcode.php, when there is a query error and you display $sql and the mysqli_error information; and for any form action='…' attribute where you are using $_SERVER['PHP_SELF'], which BTW, you can just leave the action attribute completely out and an HTML5 form will be submitted to the same page it is on.
I *thought* that this part in my code was doing that process?
The test_input() function is being called on the data that is the input to your code. This is not at the point where you are outputting something to the web page.
How would it get requested by a GET request ...
By posting URLs to it in forums that get indexed by search engines. Search engines will ONLY make GET requests. If you ALWAYS enclose your post method form processing code in a test so that it will only be executed when there is a POST request, your page won’t waste resources and won’t output php errors in response to search engines indexing your site.
I'm not requiring any fields, all fields are optional. People are welcome to submit a request without giving a name.
Then, the ‘requests’ field is required and you don’t want to waste time and resources inserting data if ‘requests’ is empty.
All I *want* to do is trim out the apostrophes and replace them with the correct character entity.
No, that’s not what you want. I believe my reply above this one addresses why you are getting the error response, but your web host should be able to give you definitive information. There are several hundred million web sites that happily accept data containing single-quotes. When you have a problem in a technical subject like programming, you must find the actual cause of the problem before you can fix it, otherwise all you are doing is trying to make symptoms disappear by putting a band-aid over the top of them. This just wastes a bunch of time.
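The two points made in the reply above, escaping at output time rather than at input time and only running the form-processing code for a POST request, as an added example that is not part of the original posts. It assumes a form with an optional 'name' field and a required 'requests' field; the $post array is constructed sample data standing in for a real submission so the script runs from the command line, and e() is a hypothetical helper name.

```php
<?php
// Added example (not the original poster's code): escape data where it is
// OUTPUT into HTML, not where it is INPUT. Assumes an optional 'name' field
// and a required 'requests' field. Stored values keep their single quotes.

declare(strict_types=1);

// Output-escaping helper: apply this to every dynamic value written into HTML.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for a real POST submission (CLI run).
$post = [
    'name'     => "O'Brien",
    'requests' => "  Play <b>Don't Stop</b> & \"Believin'\"  ",
];

$errors = [];
$data   = ['name' => '', 'requests' => ''];

// Only process form data for a POST request. Search engines only make GET
// requests, so this guard keeps them from triggering the processing code.
$method = PHP_SAPI === 'cli' ? 'POST' : ($_SERVER['REQUEST_METHOD'] ?? 'GET');
if ($method === 'POST') {
    $input = PHP_SAPI === 'cli' ? $post : $_POST;

    // Trim the raw values. Do NOT html-encode them here; nothing is being output yet.
    $data['name']     = trim((string) ($input['name'] ?? ''));
    $data['requests'] = trim((string) ($input['requests'] ?? ''));

    // 'requests' is the one required field; don't insert an empty request.
    if ($data['requests'] === '') {
        $errors[] = 'Please enter a request.';
    }

    // Here $data would go to the database via a prepared query, apostrophes
    // and all. The database never sees html entities.
}

// Output stage: every value that lands in the HTML passes through e().
foreach ($errors as $error) {
    echo '<p class="error">' . e($error) . "</p>\n";
}
if (!$errors && $method === 'POST') {
    echo '<p>Name: ' . e($data['name'] === '' ? 'anonymous' : $data['name']) . "</p>\n";
    echo '<p>Request: ' . e($data['requests']) . "</p>\n";
}

// Redisplay the form. No action attribute: an HTML5 form with no action
// submits to the same page, so $_SERVER['PHP_SELF'] is not needed at all.
echo "<form method=\"post\">\n";
echo '  <input type="text" name="name" value="' . e($data['name']) . "\">\n";
echo '  <textarea name="requests">' . e($data['requests']) . "</textarea>\n";
echo "  <button type=\"submit\">Send</button>\n";
echo "</form>\n";
```

Run it with `php example.php` and the apostrophes, angle brackets and ampersand in the sample data come out as entities only in the rendered HTML; the values in $data are untouched, which is what you want to hand to a prepared INSERT query.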
Arrays are variables with more than one dimension. Arrays are for sets of data, that will be treated the same. If you had any algebra in school, you should have seen arrays for sets of numbers. Arrays will let you loop over data, rather than writing out code for each possible variable. Programming is already a tedious and error prone typing activity. By cutting down on the repetitive coding, you will save time when writing, testing, and debugging problems. It would be to your advantage to do some research and experimenting on using arrays.
The examples in the php.net documentation do show WHAT code does. It’s up to the programmer to take what the code does and use it where it will accomplish something useful. For example, converting from mysqli to PDO. What basic tasks are you using mysqli for in your code -
- Making a database connection.
- Forming and running sql queries - SELECT and INSERT (and later UPDATE and DELETE and a few others.)
- For SELECT queries, testing the number of rows the query matched and fetching the data from the query.
All you would need to do is learn what the equivalent PDO statements are for these tasks.
Using prepared queries involves using place-holders in the sql query statements, instead of putting variables in directly. This actually simplifies the sql syntax, since any single-quotes you have around string values will be eliminated. Instead of executing the query you have formed, you prepare it, then there is an additional execute() step, where you supply the actual data values and cause the query to be executed with that data (you can repeat the data/execution step multiple times, without needing to prepare the query again.) It is here that the PDO extension becomes much simpler than the mysqli extension. The mysqli extension requires an explicit bind step before execution, and fetching data from a mysqli prepared query requires binding result variables in addition to calling a fetch statement.
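The three tasks listed in the reply above (connect, INSERT/SELECT with prepared queries, test the row count and fetch), done with PDO, as an added example that is not code from the original posts. It assumes an in-memory SQLite database so it runs stand-alone; for the poster's MySQL setup only the DSN and credentials in connect() change. The table name, column names and the sample rows are constructed for the example.

```php
<?php
// Added example (not the original poster's code): the mysqli tasks from the
// reply above, written with PDO prepared queries. Uses sqlite::memory: so it
// runs anywhere; swap the DSN for 'mysql:host=...;dbname=...;charset=utf8mb4'
// plus a user and password to talk to MySQL.

declare(strict_types=1);

// Task 1: make a database connection. Exceptions on error mean you never
// have to check a return value after each query.
function connect(): PDO
{
    $dsn = 'sqlite::memory:';   // assumption: MySQL would be 'mysql:host=localhost;dbname=app;charset=utf8mb4'
    return new PDO($dsn, null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

$pdo = connect();
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT NOT NULL, requests TEXT NOT NULL)');

// Constructed sample data, deliberately full of the single quotes that broke
// the original string-built queries. Nothing here is escaped or encoded.
$rows = [
    ['name' => "O'Brien", 'requests' => "Don't Stop Believin'"],
    ['name' => '',        'requests' => "Rock 'n' Roll"],
    ['name' => 'Ana',     'requests' => 'Something quiet'],
];

// Task 2: form and run an INSERT. Placeholders replace the variables, so the
// sql has no quotes around string values. Prepare once ...
$insert = $pdo->prepare('INSERT INTO submissions (name, requests) VALUES (:name, :requests)');

// ... then execute once per row, supplying the data at execute() time.
// PDO accepts the array directly; there is no separate bind step.
foreach ($rows as $row) {
    $insert->execute($row);
}

// Task 2 again, a SELECT with a bound value (positional placeholder this time).
$select = $pdo->prepare('SELECT id, name, requests FROM submissions WHERE requests LIKE ? ORDER BY id');
$select->execute(["%'%"]);

// Task 3: test how many rows matched and fetch them. fetchAll() gives the
// rows as an array; count() it rather than relying on rowCount(), which is
// not guaranteed to be meaningful for SELECT on every driver.
$results = $select->fetchAll();

if (count($results) === 0) {
    echo "There are no submissions to display.\n";
} else {
    foreach ($results as $r) {
        $name = $r['name'] === '' ? 'anonymous' : $r['name'];
        // In a real page these values would be passed through htmlentities()
        // right here, at the point of output.
        printf("%d | %s | %s\n", $r['id'], $name, $r['requests']);
    }
}

// The same prepared statement can be executed again with different data.
$select->execute(['%quiet%']);
printf("Matched %d quiet request(s).\n", count($select->fetchAll()));
```

Compared with mysqli, the only visible differences are that execute() takes the data array directly and fetchAll() returns the rows, so there is no bind_param() before execution and no bind_result() before fetching. The two rows with apostrophes are stored and read back exactly as entered.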